Ldap – Pam LDAP request returns wrong credentials (49)


I am trying to set up PAM authentication using LDAP from Debian jessie to an SLES11 server without success. I always receive a wrong credentials return, although it can successfully bind using ldapsearch. Following are the LDAP log outputs for the cases I perform:

ldapsearch -D uid=testuser,ou=people,dc=our-domain,dc=de -W -H ldap://192.168.100.11 'uid=testuser'

slapd[4628]: conn=1072 fd=18 ACCEPT from IP=192.168.100.12:59539 (IP=0.0.0.0:389)
slapd[4628]: conn=1072 op=0 BIND dn="uid=testuser,ou=people,dc=our-domain,dc=de" method=128
slapd[4628]: conn=1072 op=0 BIND dn="uid=testuser,ou=people,dc=our-domain,dc=de" mech=SIMPLE ssf=0
slapd[4628]: conn=1072 op=0 RESULT tag=97 err=0 text=
slapd[4628]: conn=1072 op=1 SRCH base="ou=people,dc=our-domain,dc=de" scope=2 deref=0 filter="(uid=testuser)"
slapd[4628]: conn=1072 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[4628]: conn=1072 op=2 UNBIND
slapd[4628]: conn=1072 fd=18 closed

Login attempt using the following /etc/pam_ldap.conf:

host 192.168.100.11
base ou=people,dc=our-domain,dc=de
ldap_version 3

Results in

slapd[4628]: conn=1073 fd=18 ACCEPT from IP=192.168.100.12:59540 (IP=0.0.0.0:389)
slapd[4628]: conn=1073 op=0 BIND dn="" method=128
slapd[4628]: conn=1073 op=0 RESULT tag=97 err=0 text=
slapd[4628]: conn=1073 op=1 SRCH base="ou=people,dc=our-domain,dc=de" scope=2 deref=0 filter="(uid=testuser)"
slapd[4628]: conn=1073 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[4628]: conn=1073 op=2 BIND dn="uid=testuser,ou=people,dc=our-domain,dc=de" method=128
slapd[4628]: conn=1073 op=2 RESULT tag=97 err=49 text=
slapd[4628]: conn=1073 op=3 BIND dn="" method=128
slapd[4628]: conn=1073 op=3 RESULT tag=97 err=0 text=
slapd[4628]: conn=1073 op=4 BIND dn="uid=testuser,ou=people,dc=our-domain,dc=de" method=128
slapd[4628]: conn=1073 op=4 RESULT tag=97 err=49 text=
slapd[4628]: conn=1073 op=5 BIND dn="" method=128
slapd[4628]: conn=1073 op=5 RESULT tag=97 err=0 text=
slapd[4628]: conn=1073 op=6 UNBIND
slapd[4628]: conn=1073 fd=18 closed

And the login attempt using the following /etc/pam_ldap.conf:

host 192.168.100.11
base ou=people,dc=our-domain,dc=de
ldap_version 3
rootbinddn cn=adminaccount,ou=daemonadmins,dc=our-domain,dc=de

Results in

slapd[4628]: conn=1076 fd=18 ACCEPT from IP=192.168.100.12:59543 (IP=0.0.0.0:389)
slapd[4628]: conn=1076 op=0 BIND dn="cn=adminaccount,ou=daemonadmins,dc=our-domain,dc=de" method=128
slapd[4628]: conn=1076 op=0 BIND dn="cn=adminaccount,ou=daemonadmins,dc=our-domain,dc=de" mech=SIMPLE ssf=0
slapd[4628]: conn=1076 op=0 RESULT tag=97 err=0 text=
slapd[4628]: conn=1076 op=1 SRCH base="ou=people,dc=our-domain,dc=de" scope=2 deref=0 filter="(uid=testuser)"
slapd[4628]: conn=1076 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[4628]: conn=1076 op=2 BIND anonymous mech=implicit ssf=0
slapd[4628]: conn=1076 op=2 BIND dn="uid=testuser,ou=people,dc=our-domain,dc=de" method=128
slapd[4628]: conn=1076 op=2 RESULT tag=97 err=49 text=
slapd[4628]: conn=1076 op=3 BIND dn="cn=adminaccount,ou=daemonadmins,dc=our-domain,dc=de" method=128
slapd[4628]: conn=1076 op=3 BIND dn="cn=adminaccount,ou=daemonadmins,dc=our-domain,dc=de" mech=SIMPLE ssf=0
slapd[4628]: conn=1076 op=3 RESULT tag=97 err=0 text=
slapd[4628]: conn=1076 op=4 BIND anonymous mech=implicit ssf=0
slapd[4628]: conn=1076 op=4 BIND dn="uid=testuser,ou=people,dc=our-domain,dc=de" method=128
slapd[4628]: conn=1076 op=4 RESULT tag=97 err=49 text=
slapd[4628]: conn=1076 op=5 BIND dn="cn=adminaccount,ou=daemonadmins,dc=our-domain,dc=de" method=128
slapd[4628]: conn=1076 op=5 BIND dn="cn=adminaccount,ou=daemonadmins,dc=our-domain,dc=de" mech=SIMPLE ssf=0
slapd[4628]: conn=1076 op=5 RESULT tag=97 err=0 text=
slapd[4628]: conn=1076 op=6 UNBIND
slapd[4628]: conn=1076 fd=18 closed

To me it looks like the password is in fact wrong since the search finds the entry. I also tried different settings for the pam_password entry in /etc/pam_ldap.conf without any visible changes.

Is there any difference in how PAM sends the password to the LDAP server compared to ldapsearch?
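The logs above show the same pattern on every attempt: an anonymous bind, a search that finds the entry, then a simple bind as the found DN that is answered with err=49 (LDAP resultCode invalidCredentials). As an added example, not part of the original post, the following pairs each BIND request with its RESULT line by conn/op and counts err=49 results per user DN, which is the signal a defender would alert on and the one that explains this failed login; the sample lines are constructed to match the slapd log format in the question.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the slapd lines from the question (not a real capture).
SAMPLE_LOG = """\
slapd[4628]: conn=1073 op=0 BIND dn="" method=128
slapd[4628]: conn=1073 op=0 RESULT tag=97 err=0 text=
slapd[4628]: conn=1073 op=1 SRCH base="ou=people,dc=our-domain,dc=de" scope=2 deref=0 filter="(uid=testuser)"
slapd[4628]: conn=1073 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[4628]: conn=1073 op=2 BIND dn="uid=testuser,ou=people,dc=our-domain,dc=de" method=128
slapd[4628]: conn=1073 op=2 BIND dn="uid=testuser,ou=people,dc=our-domain,dc=de" mech=SIMPLE ssf=0
slapd[4628]: conn=1073 op=2 RESULT tag=97 err=49 text=
slapd[4628]: conn=1073 op=3 BIND dn="" method=128
slapd[4628]: conn=1073 op=3 RESULT tag=97 err=0 text=
slapd[4628]: conn=1073 op=4 BIND dn="uid=testuser,ou=people,dc=our-domain,dc=de" method=128
slapd[4628]: conn=1073 op=4 RESULT tag=97 err=49 text=
"""

# Only the "method=" BIND line carries the request; the "mech=SIMPLE" line is a duplicate.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=')
# tag=97 is the BindResponse; err is the LDAP resultCode.
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')

LDAP_INVALID_CREDENTIALS = 49  # resultCode invalidCredentials


def bind_outcomes(log_text):
    """Pair each BIND request with its RESULT line by (conn, op).
    Returns a list of (conn, op, dn, err); dn == "" marks an anonymous bind."""
    pending = {}
    outcomes = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            key = (m.group(1), m.group(2))
            outcomes.append((key[0], key[1], pending.pop(key), int(m.group(3))))
    return outcomes


def failed_user_binds(log_text):
    """Count err=49 results per non-anonymous bind DN; anonymous binds are
    excluded because they succeed regardless of the password being tested."""
    counts = defaultdict(int)
    for _conn, _op, dn, err in bind_outcomes(log_text):
        if dn and err == LDAP_INVALID_CREDENTIALS:
            counts[dn] += 1
    return dict(counts)
```

Running it over a real slapd log (loglevel stats) gives one failure count per DN; a burst against many DNs from one client looks very different from the single-user pattern in this question.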

Best Answer

The problem turned out to be the local accounts. I noticed I could log in with an existing local account by providing either its local or the LDAP password. In the latter case it would bind successfully on the LDAP server.

To allow users without an existing local account I had to install libpam-mkhomedir and add it to /etc/pam.d/common-session (as well as removing an ssh group membership requirement which was only specific to my case). Now the login without existing local accounts works.

I cannot explain how a missing local account results in an unsuccessful bind on the LDAP server, since the logs show no explanation for any kind of different behaviour. If someone could shed some light on this I would be very interested in finding out.
